Trying to create an exclusion for a process with a specific cmdlet (exploit)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Trying to create an exclusion for a process with a specific cmdlet (exploit)

L0 Member

For the past couple of days, we have received a low priority alert with the following params:

Source: XDR Agent

Category: Exploit

Action: Prevented (Blocked)

 

In researching the alert in the alert table, I have determined that the action is tied with a homegrown powershell cmdlet. 

 

My conundrum is I want to create an exclusion for the specific powershell.exe Get-CustomCmdlet. However, since this is a support terminal server with numerous support users, I do not want to just give carte-blanche access to powershell. I haven't been able to figure out this specific scenario. 

3 REPLIES 3

L4 Transporter

Hi @RNance

 

My recommendation would be to create an exception for this activity. The exception would only allow the custom script to get past only the referenced exploit protection rule while still applying other exploit protection rules as desired. You can create an exception for this exploit rule by right-clicking the alert, going to "manage alert," and then selecting "create alert exception."

 

exploit_exception_TakeI.gif


This exception can be applied globally or to a specific profile that would only affect a set of devices, whichever is more appropriate for your environment. Given that your description only mentions one terminal server, I would recommend creating a unique exceptions profile and applying it only to that endpoint. Instructions on how to create an exceptions profile can be found here.

 

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Yes, however when creating an exception in that manner, all it really does (or at least says) is that will create a Generic alert based on the process name powershell.exe. However, I need it to go beyond just powershell.exe and to include the cmdlet. Essentially, I need to create an exception based more on the "Initiator Cmd" as opposed to just the "Initiated By". The way the exception is perceived is that you are providing an exception just to powershell.exe, which is too broad. 

 

I was envisioning something akin to Malicious Child Process Protection where you can define a child process command line param. The difference here is that powershell is the parent process and there is no child process in this example. Thanks. 

Hi @RNance,

 

Creating an exception would prevent the rule from executing, allowing the PowerShell script to run. The alert, on the other hand, may well be generated in a generic format, which can be suppressed via exclusion. However, permitting the script to run is a use-case for the exploit rule exception. Furthermore, exploit protection exceptions do not support target scripts as a parameter at this moment in time. That would be a feature request at this point, which your account team should be able to report on.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw
  • 4392 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!